Shared services programme: phase 1 programme closure report

6.0 Governance and audit timeline

Progress against the programme plan was closely managed by the Programme Management Board (PMB) and overseen by the Steering Committee (SteerCo). In addition, regular external checkpoint reviews were carried out, and recommendations were acted upon.

The following are the key assurance milestones set out for the programme. Progress was closely monitored and action plans developed and progressed in line with findings:

• December 2020 - Gateway Review – Programme Assessment Review (PAR) Strategic Intent Shared Services Transformation Programme - External checkpoint
• January 2021 - TAF Digital First Checkpoint - External checkpoint
• April 2021 - Gateway 2 Delivery Strategy Shared Services Transformation Programme - External checkpoint
• May 2021 - TAF Digital First Discovery Assessment - External checkpoint
• May 2021 - TAF Pre-Procurement for Software - External checkpoint
• November 2021 - TAF Pre-Procurement Gate for System Integrator - External checkpoint
• December 2021 - Gateway Healthcheck - External checkpoint
• March 2022 - Gateway Review Assurance of Action Plan - External checkpoint
• April 2022 - Gateway Healthcheck Final Business Case - External checkpoint
• June 2022 - Gateway Healthcheck Programme Set Up - External checkpoint
• March 2023 - TAF, Delivery Gate HR Workstream - External checkpoint
• July 2023 - Gateway 0 Strategic Assessment - External checkpoint
• August 2023 - HR UAT Entry - External checkpoint
• September 2023 - Payroll Comparison Test Entry - Internal Stage Gate
• November 2023 - Finance UAT Entry - Internal Stage Gate
• December 2023 - Gateway Review - Assurance of Action Plan - External checkpoint
• December 2023 - TAF, Digital Scotland Service Standard – User Centred Design Checkpoint - External checkpoint
• April 2024 - UAT Exit - Internal Stage Gate
• May 2024 - Hybrid TAF Delivery Gate - External checkpoint
• July 2024 - Hybrid TAF - Assurance of Action Plan - External checkpoint
• July 2024 - Joint HR/FIN Dress Rehearsal Entry - Internal Stage Gate
• July 2024 - Production Code Deployment - Internal Stage Gate
• August 2024 - TAF Go Live Gate - External checkpoint
• August 2024 - Business Cutover Entry - Internal Stage Gate
• September 2024 - Soft Go Live - Internal Stage Gate
• September 2024 - Go Live - Internal Stage Gate
• October 2024 - HR (HCM) Business Checkout - Internal Stage Gate

Audit

In recent months the Oracle platform has been the subject of a number of audits:

• Audit Scotland conducted an extensive audit of the Oracle Cloud Implementation as part of SG’s 2024/25 Annual Report and Accounts. While noting that in the early stages of the programme there was an element of optimism bias in regard to costs and time frame, Audit Scotland recognised that appropriate governance arrangements were put in place to deliver the programme, that the transformation was well planned, managed and executed, and that Oracle Cloud has strengthened the security of our data. The report can be found on Audit Scotland’s website.
• SG Internal Audit has recently reviewed the governance and counter fraud controls to provide assurance and compliance with all relevant processes. A small number of minor governance recommendations were raised, all of which had already been identified and are being actioned. In addition, the need for a Fraud Response plan and related Risk Assessments was identified.
• SG’s Cyber Security team has recently conducted a review of our controls as part of the UK GovAssure process and found that Oracle has completed Stage 3 of the GovAssure assessment. This report confirms strong controls across all assessed areas.
• We are currently undergoing an audit of our process controls under the International Standard on Assurance Engagements (ISAE) 3402 framework. Early indications are that the audit will make only a small number of minor recommendations for our Oracle management controls.

Audit Recommendations

In reference to the findings from Audit Scotland’s audit of the Scottish Government’s Consolidated Accounts, the following recommendations were made, with the relevant response in October 2025 shared with Audit Scotland:

• Audit Scotland recommendation - Recommendation 11 – Resolution of support tickets

The new prioritisation criteria still need to be embedded within the iFix support process. Management should also develop reporting tools that would enable the number and age of the open tickets in each priority category to be monitored and reported. Target timescales should also be developed for the resolution of each of the 9 prioritisation categories.

SG response : A review of the arrangements for handling support tickets has been carried out and recommendations prepared. These recommendations are expected to be implemented by summer 2026 and include incorporation of the prioritisation criteria to support ticket allocation by queue managers and categorisation of tickets for reporting including target timescales.

• Audit Scotland recommendation - Recommendation 12 – Oracle post-implementation review

The Oracle Cloud post-implementation review should consider the impact of optimism bias on the original estimates for the timescale and costs of the project; and include feedback from Oracle Cloud user bodies on their experience of the implementation process, and the training and post-implementation support provided.

SG response : The Shared Services Programme (Phase One) close down report will review the implementation of Oracle Cloud. This will also further explain why due to a lack of comparable programmes and limited recent experience in complex transformation delivery costs increased from initial estimates of £22 million to £59.5 million. The report is due for completion and internal approval by December 2025.

• Audit Scotland recommendation - Recommendation 13 – Delivery of anticipated Oracle Cloud benefits

The Scottish Government should develop a benefits delivery plan that sets out the key steps to deliver the cultural change required to realise the anticipated benefits from Oracle Cloud, and achieve the operational efficiencies and service delivery improvements envisaged when the new system was procured.

SG response : An Oracle Cloud Benefits Management Strategy was approved at the Oracle Cloud Management Board in June 2025 and an update on our approach to benefits realisation provided to the August 2025 meetings of the Scottish Government Audit and Assurance Committee and DG Corporate Assurance. Our first benefits checkpoint report will be produced by end 2025 and include a commitment to regular benefits reporting

On 30 August 2024 the Director-General (DG) Corporate, as Accountable Officer, sent a Corporate Clients Assurance Letter to customers, and a further update was issued on 7t March 2025. These provided assurances on the controls and standards applied throughout the life of the programme, through its implementation and Hypercare period. Assurance was provided in the following areas:

1. Overall Platform Design and Build

2. Governance

3. Risk Management

4. Testing

5. Accessibility

6. Training

7. Memorandum of Understanding

8. Cutover Process

9. Data

10. Security and Cyber security measures

11. Counter Fraud

12. Financial Reporting

13. Budget Planning

14. Audit

15. Go Live Preparation

16. Compliance

17. Hypercare

18. System Reliability and Business Continuity

19. Incident Management

20. Disaster Recovery

21. Future Plan